When configuring a Windows 10 Always On VPN device tunnel, the administrator may encounter a scenario in which the device tunnel does not connect automatically. This can occur even when ProfileXML is configured with the AlwaysOn element set to “true”.
Manual Connection
An administrator can establish a device tunnel connection manually using rasdial.exe however, indicating no issues with connectivity or authentication that would prevent a successful automatic connection.
Root Cause
This scenario will occur when the device tunnel configuration is applied to a Windows 10 Professional edition client.
Device Tunnel Support
The Windows 10 Always On VPN device tunnel is supported only on Windows 10 1709 or later Enterprise edition clients that are domain-joined. To ensure the device tunnel connects automatically, upgrade to Windows 10 Enterprise 1709 or later and join it to a domain.
Windows 10 Always On VPN and DirectAccess both provide seamless, transparent, always on remote network access for Windows clients. However, Always On VPN is provisioned to the user, not the machine as it is with DirectAccess. This presents a challenge for deployment scenarios that require the VPN connection to be established before the user logs on. For example, pre-logon connectivity is required to support remote logon without cached credentials. To address this issue and to provide feature parity with DirectAccess, Microsoft introduced support for a device tunnel configuration option beginning with Windows 10 version 1709 (Fall creators update).
Learn Windows 10 Always On VPN today! Register for an upcoming Always On VPN Hands-On Training class. More details here!
Prerequisites
To support an Always On VPN device tunnel, the client computer must be running Windows 10 Enterprise or Education version 1709 (Fall creators update) or later. It must also be domain-joined and have a computer certificate with the Client Authentication Enhanced Key Usage (EKU) issued by the organization’s Public Key Infrastructure (PKI).
In addition, only the built-in Windows VPN client is supported for Always On VPN device tunnel. Although Windows 10 Always On VPN user connections can be configured using various third-party VPN clients, they are not supported for use with the device tunnel.
VPN ProfileXML
The Always On VPN device tunnel is provisioned using an XML file. You can download a sample VPN ProfileXML file here. Make any changes required for your environment such as VPN server hostnames, routes, traffic filters, and remote address ranges. Optionally include the trusted network detection code, if required. Do not change the protocol type or authentication methods, as these are required.
Once the ProfileXML file is created, it can be deployed using Intune, System Center Configuration Manager (SCCM), or PowerShell. In this post I’ll cover how to configure Windows 10 Always On VPN device tunnel using PowerShell.
Client Configuration
Download the PowerShell script located here and then copy it to the target client computer. The Always On VPN device tunnel must be configured in the context of the local system account. To accomplish this, it will be necessary to use PsExec, one of the PsTools included in the Sysinternals suite of utilities. Download PsExec here, copy it to the target machine, and then run the following command in an elevated PowerShell command window.
Another elevated PowerShell window will open, this one now running in the context of the local system account. In this window, navigate to the folder where you copied the PowerShell script and XML file to. Run the PowerShell script and specify the name of the ProfileXML file, as shown below.
To verify creation of the VPN device tunnel, run the following PowerShell command.
Get-VpnConnection -AllUserConnection
Note: In Windows 10 releases prior to 1903 the ConnectionStatus will always report Disconnected. This has been fixed in Windows 10 1903.
Server Configuration
If you are using Windows Server 2012 R2 or Windows Server 2016 Routing and Remote Access Service (RRAS) as your VPN server, you must enable machine certificate authentication for VPN connections and define a root certification authority for which incoming VPN connections will be authenticated with. To do this, open an elevated PowerShell command and run the following commands.
Using PowerShell to provision an Always On VPN device tunnel is helpful for initial testing and small pilot deployments, but it does not scale very well. For production deployments it is recommended that Microsoft Intune be used to deploy Always On VPN device tunnel.
Deploy Device Tunnel with Intune
Guidance for deploying an Always On VPN device tunnel using Microsoft Intune can be found here. You can also view the following demonstration video that includes detailed guidance for provisioning the Always On VPN device tunnel using Microsoft Intune.
Summary
Once the Always On VPN device tunnel is configured, the client computer will automatically establish the connection as soon as an active Internet connection is detected. This will enable remote logins for users without cached credentials, and allow administrators to remotely manage Always On VPN clients without requiring a user to be logged on at the time.
Windows 10 Always On VPN hands-on training classes now forming. Details here.
Since the introduction of Windows Server 2012 in September of 2012, no new features or functionality have been added to DirectAccess. In Windows Server 2016, the only real change aside from bug fixes for DirectAccess is the removal of Network Access Protection (NAP) integration support.
Figure 1. Remote Access Setup wizard with NAP integration option in Windows Server 2012/R2.
Figure 2. Remote Access Setup wizard without NAP integration option in Windows Server 2016.
DirectAccess Roadmap
It’s clear to see that Microsoft is no longer investing in DirectAccess, and in fact their field sales teams have been communicating this to customers for quite some time now. Microsoft has been actively encouraging organizations who are considering a DirectAccess solution to instead implement client-based VPN with Windows 10.
Always On VPN
New features introduced in the Windows 10 Anniversary Update allow IT administrators to configure automatic VPN connection profiles. This Always On VPN connection provides a DirectAccess-like experience using traditional remote access VPN protocols such as IKEv2, SSTP, and L2TP/IPsec. It comes with some additional benefits as well.
Conditional access and device compliance with system health checks
Windows Hello for Business and Azure multifactor authentication
Windows Information Protection (WIP) integration
Traffic filters to restrict VPN network access
Application-trigger VPN connections
DirectAccess Deprecated?
There has been rampant speculation that Microsoft plans to deprecate and retire DirectAccess. While that may in fact be true, Microsoft has yet to make a formal end-of-life announcement. There’s no reason DirectAccess and VPN couldn’t co-exist, so it’s not a certainty Microsoft will do this. However, there’s also no need to have multiple remote access solutions, and it is abundantly clear that the future for Microsoft remote access is Always On VPN and not DirectAccess.
Windows 10 Always On VPN has some important advantages over DirectAccess. It has some crucial limitations as well.
Advantages
Always On VPN supports non-Enterprise Windows 10 client SKUs (Windows 10 Home and Professional)
Always On VPN includes support for granular network access control
Always On VPN can use both IPv4 and IPv6
Always On VPN is infrastructure independent. In addition to supporting Windows RRAS, any third-party network device can be used such as Cisco, Checkpoint, Juniper, Palo Alto, SonicWALL, Fortinet, and many more
Disadvantages
Always On VPN works only with Windows 10. It is not supported for Windows 7
Always On VPN cannot be managed natively using Active Directory and group policy. It must be configured and managed using Microsoft Intune. Alternatively, Microsoft System Center Configuration Manager (SCCM) or PowerShell can be used.
DirectAccess or Always On VPN?
Should you deploy DirectAccess today or implement Always On VPN with Windows 10 instead? That depends on a number of factors. It’s important to understand that DirectAccess will be fully supported through the lifecycle of Windows Server 2019. If DirectAccess meets your needs today, you can deploy it with confidence that it will still have a long support life. If you have reservations about the future viability of DirectAccess, and if you meet all of the requirements to support Always On VPN with Windows 10, then perhaps that’s a better choice. If you’d liketo discuss your remote access options in more detail, fill out the form below and I’ll get in touch with you.
Windows 10 Always On 
